Welcome to Women of DevOps, part eight! Today, we’re speaking with Stefania Chaplin, Solutions Architect at Secure Code Warrior. She’s basically a DevSecOps pro that advises companies on how to secure their systems. I got the chance to ask her about the whole ‘security is an onion’ thing (implying it has many layers) and her answer was spot on.
Without further ado, meet Stefania!
‘Til next time,
The Women of DevOps, Ep. 8
Can’t listen to the audio? Read on below for a transcript of our conversation.
Rox: Hey, everyone. Thank you all so much for joining us for another episode of Women of DevOps! Today, we’re joined by Stefania Chaplin. Hi!
Stefania: Hi Rox! How are you?
Rox: I’m good, thank you! To start, could you tell us a little bit about yourself?
Stefania: Sure! Hi, everyone. My name is Stefania Chaplin. I am a Solutions Architect for EMEA, which is Europe, Middle East, and Africa, working for cybersecurity. So very much background in security/DevSecOps – and I used to be a developer a while ago as well.
Rox: Very nice. You’re actually my first DevSecOps woman. I’ve been dying to talk about this stuff. So what got you involved in the field? Has security always been a passion of yours?
Stefania: So it’s interesting with the passion question, because I often find when I’m talking to clients and I’m talking about developers and DevSec about developers – people with an interest in security are either really passionate, or really paranoid. And I think to me it’s both because it used to be interest, then it became passion. Now I’m disseminating my knowledge in my friends and network groups about, “Guys, we have to be careful about phishing emails.” It’s one of those roles that kind of just happened. I got it reaching through recruitment. But my entire mentality with life is: always go for growth and you’ll always be employable. I find that working in cybersecurity, as long as there’s money and tech is growing, there are probably gonna be hackers, so security’s a fairly safe bet.
Rox: Oh, yeah. My partner is actually a DevOps manager and he’s super interested in DevSecOps too, so this has a special interest to me. So let’s talk security a little bit. What does the phrase “security is like an onion” mean to you?
Stefania: Sure. So one of the first talks I saw was a virtual event, before virtual was cool. Like a few years ago, before it was everywhere. I saw a talk – I think it was an All Day DevOps – and it was talking about security, but it was in relation to a house. So you would say, “Okay, so you’ve got some valuables in your safe. You’ve locked the front door, but the safe door is open. Someone breaks through the front door, they can just walk in and get to the safe.” That was one slide – it was all stick figures. And then the next slide, they’re like, “Okay, what do you want to do? You want to lock the safe, you want to lock the windows, you want to have a really good multiple door lock, you want to have a perimeter fence, you want to have someone driving around in a car around the fence.”
I think that’s what resonates to me, because security is an onion: you need all these layers. It’s so accurate, because you’re as strong as your weakest link and if you only have a front door lock, guess what, if that fails – which ultimately, everything will fail. You need to have backups in place to help with that.
Rox: That’s perfect. What are some challenges that someone could face when trying to implement security policies?
Stefania: I think it really depends who you are, because if you’re a CISO, I think the challenges are going to be slightly different, because you can do what you want. If you are a developer that has an interest in security but you don’t necessarily have the clout, something that you can do is have the research. I speak a lot to developers – I’m an ex one – and there’s loads of free tools that you can just try out. Why don’t we scan our application? Why don’t we see if we do have any vulnerabilities, and do we even know what they mean?
I talk a lot about username enumeration, because I ask developers and I ask security, “What does that actually mean to you?” And the developer starts talking about type Enum – and I get that. And then I tell them what it actually means, and they’re like, “Oh, yeah, that thing! That affected me in the past.” So I think it really depends who you are.
If you’re a security manager as well, then you’ve got the whole thing of like, “Okay, this is my domain, and I have remit but where do I start?” And then you have the whole policy – who controls the policies? Who do I need to speak to? You get layers of bureaucracy. So I think it really depends on who you are and what you’re trying to implement. It’s a big topic you’ve got in that question.
Rox: Mmhmm. So let’s say it’s for a ‘you’ type. Have you ever gotten pushback?
Stefania: I’m in a unique position because I work for a cybersecurity vendor. I normally advise clients in terms of what I would recommend, and what I tend to recommend is to almost do a security audit, just to see. Have you looked at your open source? Have you looked at your perimeters? Let’s do a couple of scans and see where the most red flashing lights are and then maybe we address that. For example, at Secure Code Warrior – in DevOps, you always talk about shifting left. Secure Code Warrior is about starting left. It’s like, actually, why don’t we upskill and inspire our developers to write secure code, because then we won’t have vulnerabilities in the application. So it’s very much about looking at the scope of the project, and then going for the high priority. What’s on fire? Let’s fix that fast.
Rox: This wasn’t in my list, but I’m interested in your company, can you tell us a little bit about that? What brought you to them?
Stefania: Sure! So I work for Secure Code Warrior, and our vision is to inspire developers to ship quality software. It’s a very preventative human-led approach. And what we do is, if you look at where code vulnerabilities are introduced, it’s at the code level, but if you look at where it’s found, it’s normally found at the testing level. I think security in the, say, in the past 10 years, the attitude’s been, “Let’s just add more and more testing.” We’ve got static testing, we’ve got dynamic, we’ve got runtime, we’ve got all the application security testing tools. My favorite now is I just use a capital X, because that means cross all the tools.
Unfortunately, you can’t scan your way to secure code. You can find the problem and security, like “Yeah, we found the problem, there’s a problem!” And then the developers – the favorite thing I like to have on a slide is – developers find a way to fix the problem. Is it the best way? Is it an efficient way? Are they happy? Is it confusing for them? Do they even know what they’re doing? That’s a different question. So what we try to do is, we help upskill them, and we do this as well in a game-like format. We have structured learning, we have tournaments. What we’re trying to do is make it fun, because I often talk – when I talk about this, I’m like, “How was it doing this tournament, winning prizes, versus sitting in a non-air conditioned room for two days on classroom-based training?”
You can have gamified, you can have non-gamified, you can do structured learning, you can have integrations with ticket management, IDs, etc. It’s very much about understanding the developer, and helping inspire them and upskilling them so they don’t introduce these security vulnerabilities.
Rox: That’s awesome. Thank you for sharing that. So out of all the areas of DevSecOps, what is your favorite aspect to work with?
Stefania: Ooooh, I was thinking about this question! There’s just so many, it’s so hard! I personally really like learning things, and I find a lot of the aspects interesting because of my background – I’m a developer – and then I went to go out in security, but I’ve never done Ops. I find that really interesting, but I don’t like it that much.
I do talk a lot about cloud security, because you see the growth of the cloud – you see the revenue numbers for AWS last quarter was 30% year on year growth. 13 million or billion – it was a big number. It was 13. And the others, GCP and Microsoft (Azure), have grown 40-50%. So you see this growth in cloud and it’s like, guess what, there’s going to be security vulnerabilities. I’m really enjoying playing around with that.
Then there’s the whole other aspect because you’ve obviously got the code that’s being written, you’ve got API, you’ve got different ways of accessing – so you’ve got web, mobile, desktop. There’s just so much, so that hasn’t helped.
I want to say everything, but hopefully those were a couple of the ones to inspire.
Rox: “Everything” is a valid answer. [laughs] I saw that you have a computer science degree, so how do you feel about bootcamps?
Stefania: Yeah, well, this is the irony. I don’t talk about this bit too often, but when I was doing my computer science degree, I remember last year, I was like, “Why have I done this?! I just want to be a makeup artist, I don’t want to do tech!” I nearly changed my degree so many times. I had further maths at school so I was always math-y. I was capable of it, but I wasn’t really enjoying it.
The reason I did computer science is pre-Lehman Brothers. I was like, computers are going to be in the future no matter what. I don’t know what I want to do, I’m only 17, and if I do it, I’m going to be sorted for life.
I graduated, and then I went to go work in makeup. Then I actually worked in sales, recruitment, HR – I jumped a lot in my 20s. I think it was around 27, when there was a lot of – I want to say political instability, like Brexit, it was that summer – and I was like, “Oh my god, I’m a girl that can code, I’m a unicorn!” But what I found the challenge was that I had not done anything technical in about three or four years. So actually, I kind of did a self-bootcamp. I had the foundations a bit from school and from learning, but what I ended up doing was going to meetups three or four times a week, and I was doing online courses. I did lots of Udemy ones and Codecademy. Although I was working during the day in HR, in the evenings, I needed to be networking or learning. So I did my self-bootcamp for six months.
I managed to build a portfolio, and then I managed to get a job at a startup, so I’m really pro-bootcamps. But I just say – with any type of learning – it’s important to have a portfolio at the end. And I know – I know what it’s like. A lot of people like, “Oh, but it’s not good enough!” But that’s fine, because then you’ll show progression! Because you’re like, “Oh, I wrote this two months ago and I know that it could be better because of x, y, z, maybe I’ll refactor it one day. But now look at what I can write. I’m an amazing, excellent learner!” I’m really pro of bootcamps, online learning, anything, as long as you have an output at the end, which you can then use to be employable.
Rox: That’s really great. Okay, you mentioned ‘girl in tech.’ So I’m gonna go to that. [laughs] What has your experience been like so far, as a woman in tech?
Stefania: Yeah! So it’s interesting, because I’ve jumped around a lot, as I mentioned, in my career. I worked in makeup, which was almost all women and gay men. When I was in sales, recruitment, HR, etc, it was actually about 50/50. And then working in tech, it’s obviously majority men. But my current company, Secure Code Warrior, our diversity is awesome! It’s 40-50% women, it’s amazing. I love it.
Stefania: I know! At other places I worked the stat was more like 4-5%. So I’m used to that industry. But what I find is, I kind of use it – I say I use it to my advantage, but I’m all about inspiring future women to be in tech and speak, because it’s a great place to be. You’ll be employable, you’ll earn money. What I find as well is that while sales was a bit cutthroat, in tech, because it’s a collaborative environment, the background of, say, open-source and how people want to work, intelligent people are working together and collaborating to fix problems, what I find is that everyone’s really helpful.
They’re like, “Oh, yeah, I’d love to work with you on this project.” As long as you brief them appropriately, “Hey, I’m working on this…” I kind of have to – not ‘prove’ it, but like, “Look, I know what I’m talking about. This is what I need. What do you think?” Then, everyone’s really receptive. I’ve had some great collaborative projects globally. And I’m happy to say it’s because of being a woman, but I think sometimes it helps because it does make me stand out a bit more. So you know, use it to my advantage.
Rox: So pretty positive experience, then.
Stefania: Yeah, well that’s the thing – when I was in other industries, being a woman wasn’t as positive – but tech, yeah, it’s going great! [laughs]
Rox: It’s so weird. I get such broad answers with that. I’ve had some women that have had super great experiences. I’ve had women that I’ve had the worst experience ever. It seems like it really depends on the person.
Stefania: I was at a friend’s birthday dinner maybe a month ago, and I was talking with someone who was working in an organization – it was airlines, but more in the cargo department. They were telling a story of how they were the one woman and that was like 12 men. The attitude was very 1950s, and she actually was referred to in the meeting as the woman. “Oh, yeah, it’s great. She’s here taking the notes.”
I’m really grateful I’ve never had that derogatory treatment towards me, because if it was, I’d be like, “Excuse me. Do you know who you’re talking to?” [laughs] So yeah, tech so far has been good. I found that people are willing to listen to what I have to say, because it’s great. [laughs]
Rox: So in order to help other women have the kind of experience that you have then, is there any advice you could give to men to help women feel more welcome and comfortable going into tech?
Stefania: Yes. I think in tech, in general, the men have been okay so I will talk about this – and it’s not specifically in tech – but I read a lot of feminist literature. There was one – it was more like a help guide, I think it was like a feminist something like Bad Bitch Bible. But it had a whole chapter, stuff like mansplaining, manterrupting. So when a man explains something, like my American friend who’s English, someone tried to explain Brexit to her. She’s like, “I lived in the UK for the first 18 years of my life. Thanks.” Or, like, you know, being explained what is a motorcycle, I’m like, “Uhhh, we don’t need – I know.”
Those kinds of things – which I think some men, because they’re like, “Yeah, I’m ambitious, and I want to be the voice and I want to go ahead,” they can overshadow women sometimes. I think women, because of society, culture, the world, they can sometimes be a bit more quiet, reserved, even submissive. I think the way to be a strong ally for women in tech is to reach out to any women you’re working with – because there are probably not that many – and be like, “Hey, how’s it going? Just wanted to touch base, let me know if you need any help or anything. I’d love to collaborate with you.”
Obviously don’t make it sound like you’re trying to do their job or you think that they’re not very good, but just in kind of a friendly atmosphere. And then obviously, when you’re in a meeting, if anyone does interrupt or speak over a woman – which would normally, in my instance, be a man, I’d be like, “Oh, sorry. Yeah, Rox? What were you saying?” And then kind of looping that back in. And then, if necessary, going to the man who interrupted, on the side, “FYI, I don’t know if you’re aware of this, but you have a habit of interrupting.” Don’t just point at the woman and be like, “Yeah, it was Tom as well,” because sometimes women feel interrupted or demeaned and that can really make them shell up. That’s not what you want. You want women to have a voice and I think that can be hard sometimes.
Rox: Oh yeah, absolutely. There was a video not long ago that went viral. This woman in STEM. She was in college class. She recorded every time she got interrupted by another man in her classes. I think it was something crazy, like 17 times or something. So not cool.
Stefania: Whoa. Exactly. Yeah. I saw – there was a meme. It was a woman, I think it was in science, but she was speaking at a conference. The man at the – someone in the audience was like, “Actually, what you’re saying is wrong. You need to read McGregor et al.’s research.” She just moved her hair, and on her nametag, she’s like, “I am McGregor.” [laughs] That kind of thing. Basically, if you’re a man, don’t be a dick. That’s my advice.
Rox: [laughs] That’s great, oh man… So this is not tech related at all, but when I was stalking your LinkedIn, I saw that you had a stint as a turtle conservationist. Mind telling us about that? [laughs]
Stefania: Yeah! I hadn’t thought about that in a while. Sometimes I forget it’s on my LinkedIn. But yeah, when I was 17, I – I’m based in London, so for me, Mexico was far away. I went to Mexico’s West Coast, near Guadalajara, to go save turtles as a two week conservation project. It was very fun and character building. I’ve been to Western Europe, but I’d never traveled across the Atlantic before. And then to go into a country like Mexico, where the climate, the culture – thankfully, I speak Spanish, so that helped a bit. It was a really awesome experience. I really enjoyed it. It was great.
Rox: Nice. And before I let you go, is there anything else you would like to share?
Stefania: Well, I was having a think about this, because I always do loads of stuff. There’s always loads of public speaking, obviously this is a podcast – there’s loads of stuff with me. But I don’t want to use this moment to talk about me, I want to use this moment to talk to whoever’s listening to this or reading the transcripts.
My whole ethos is about improving diversity. I remember when I started in tech, and I didn’t have any – I remember actually, I noticed in my team, there were no women. And then I joined the global call on the Friday afternoon in my first week, and there were like 15 men. I was like, “Oh, I’m the only woman.” There were no women in senior leadership either.
I was like, I’m gonna need to be the role model that I want to see so I can inspire others. We had an America trip, and one of the board of directors came, and she was like, a really good VC – she was actually Ann Winblad, she’s awesome. I put my hand up – it was only my third or fourth month – and I was like, “What can we do to improve diversity?” And she said, “Visibility.” I really took that on board, which is why I have a habit of always saying yes to everything, doing business development for my own events, because I think if I put myself out there, it will encourage future generations.
Unfortunately, if we look at the world, we’re not all middle aged white men. But when we look at tech, that’s the dominant demographic. So it’s really about having those other people, those different viewpoints so that we can work together, diversity, inclusion, bring them all. I think at least for me, it starts with public speaking. So if there are people out there, start blogging! Start blogging, do an internal presentation to your team about something you learned on the weekend or in the evening or something cool, data or whatever. Then you can slowly branch out. That’s another thing about being a woman: conferences love me, because I’m like, “Hi, I’m a woman in tech, and I’m going to talk about something technical” and it’s like, “Quick! Keynote!” [laughs] So yeah, to anyone who’s out there reading or listening: have you thought about public speaking? So yeah, that’s my closer. [laughs]
Rox: Thank you so much for your time. It was a great conversation.
Stefania: Awesome. Thank you so much for having me.
Looking to learn more about Stefania? Join her at DevSlop today.
See you next month!